---
tags: 48-INS
---

# 2: Certification, PKI, and Kerberos

## Certification, PKI and Kerberos

## Certificates (I)

### Certification Authority (CA)

[Youtube: Practical Networking](https://www.youtube.com/@PracticalNetworking)

- Cryptographic binding between an identity (e.g. a name) and a public key.
- Only the CA can generate the certificate. It may contain:
  - the period of validity of the public key
  - extra information (e.g., the signature algorithm)

### X.509 Certificates

[X.509 wiki](https://en.wikipedia.org/wiki/X.509)

### Certification Process

- An identity is typically a server's domain name.

## Public Key Infrastructures (PKI)

### CRL (Certificate Revocation List)

## Kerberos

### Key Distribution Centre (KDC)

# Lab 2: PKI and OpenSSL

In this lab, we will become a root CA ourselves, and then use this CA to issue certificates for others (e.g. servers).

## PKI

### X509

### OpenPGP

```shell=
$ openssl x509 -in ~/Desktop/COMM048/Lab2/bing.com.pem -noout -text
# -in: the certificate file to read
# -noout: do not print the PEM-encoded certificate itself, only what -text asks for
# -text: print the certificate contents in human-readable form
```

```shell=
$ od -vAn -N4 -tx1 < /dev/urandom | tr -d ' ' > demoCA/serial
# -v: print every line; do not collapse repeated lines into a "*"
# -A[doxn]: address format: d -> decimal, o -> octal, x -> hex, n -> none
# -N4: read only the first 4 bytes
# -tx1: format the output as hexadecimal, 1 byte per unit, separated by spaces
# tr -d ' ' strips the spaces so the file holds a plain 8-digit hex serial
```

```shell=
$ openssl req -new -x509 -keyout private/cakey.pem -out cacert.crt -config ../LabCA.cnf
# -x509: output a self-signed certificate instead of a certificate request
# password: demo
# Common Name: Lab Demo
```

### Ex 2.4 (Public Key Certificates)

Display the content of **www.barclays.co.uk.pem** and **www.franziskuskiefer.de.pem**

- Who is the Certificate Authority?
```shell=
$ openssl x509 -in ~/Desktop/COMM048/Lab2/www.barclays.co.uk.pem -noout -text
# The Issuer field names the CA that signed the certificate.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:60:10:d9:a1:64:17:1d:b4:43:a4:2e:53:ac:29:77
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)06, CN = VeriSign Class 3 Extended Validation SSL SGC CA
        Validity
            Not Before: Jan 21 00:00:00 2014 GMT
            Not After : Jan 22 23:59:59 2015 GMT
        Subject: jurisdictionC = GB, businessCategory = Private Organization, serialNumber = 01026167, C = GB, postalCode = E14 5HP, ST = London, L = London, street = 1 Churchill Place, O = Barclays Bank PLC, OU = Digital Banking, CN = www.barclays.co.uk
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:f7:03:84:da:c2:5e:20:30:cd:1d:9b:1f:e0:32:
                    05:31:0c:c8:b1:0b:8e:ed:47:17:4b:28:2a:b0:f0:
                    11:97:1a:e7:a7:09:07:49:99:1c:23:b9:3c:68:43:
                    f1:2b:32:1f:67:35:47:8d:da:45:25:75:84:fa:8c:
                    87:21:9e:2e:7f:7b:f0:48:54:0b:71:22:38:8d:5c:
                    8b:3e:b2:26:96:ff:85:d3:dc:a7:9d:24:f3:5d:9b:
                    e0:cf:9c:35:7b:2c:f0:3a:39:bc:31:32:21:f9:fc:
                    ee:5b:82:7a:30:5d:22:fd:98:6d:7c:52:2a:7b:6e:
                    80:f0:4c:c4:51:01:14:9d:de:bf:74:62:90:36:89:
                    0f:14:91:1f:2f:f6:25:f8:d8:63:45:7b:0a:17:63:
                    02:05:6a:d2:42:79:66:a8:1d:b9:4f:46:85:0b:28:
                    8c:dc:2b:11:33:8f:f0:91:23:9e:4c:3a:0c:01:92:
                    7d:eb:9b:68:79:eb:ff:a0:ac:41:48:1a:a3:49:cf:
                    96:a9:9b:f4:0e:ca:46:b6:ed:9b:6d:ea:02:5f:62:
                    75:73:de:cf:c8:d9:9e:f8:76:02:86:ec:25:72:e4:
                    20:ab:64:0b:e0:4e:2c:39:f8:8e:9c:f9:56:3d:c5:
                    f4:a8:28:3a:70:86:01:1f:f1:f1:1d:8e:92:68:ad:
                    28:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.barclays.co.uk
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Netscape Server Gated Crypto
            X509v3 Certificate Policies:
                Policy: 2.16.840.1.113733.1.7.23.6
                  CPS: https://www.verisign.com/cps
            X509v3 Subject Key Identifier:
                99:DC:63:25:C7:25:06:E9:B0:67:50:65:7A:52:59:7A:87:5E:A2:C6
            X509v3 Authority Key Identifier:
                keyid:4E:43:C8:1D:76:EF:37:53:7A:4F:F2:58:6F:94:F3:38:E2:D5:BD:DF
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://EVIntl-crl.verisign.com/EVIntl2006.crl
            Authority Information Access:
                OCSP - URI:http://EVIntl-ocsp.verisign.com
                CA Issuers - URI:http://EVIntl-aia.verisign.com/EVIntl2006.cer
    Signature Algorithm: sha1WithRSAEncryption
         2d:6f:ae:7a:df:a2:d0:7a:bd:3a:b9:34:5a:dd:c4:ae:39:bf:
         ba:04:3d:e5:7d:39:05:49:41:41:24:7d:dc:c3:20:3e:60:7a:
         9f:29:37:7f:42:22:be:1a:11:91:89:c8:c6:e2:34:25:4e:0a:
         73:ea:4c:63:a9:d8:33:b9:46:8a:7a:47:65:10:3a:14:b2:5c:
         9e:08:1b:6a:3d:03:7b:72:e5:a9:96:5d:0e:9a:11:c5:9f:90:
         cb:07:66:07:85:4a:3b:e7:9d:cd:e6:0f:25:7c:85:28:b1:a2:
         9c:b8:e0:d6:b2:33:c2:4e:55:17:aa:51:9e:f5:19:f6:94:09:
         a5:6f:88:24:28:fd:67:ef:46:d8:ce:d8:57:e0:ea:f7:83:94:
         3c:dd:2f:9d:b7:e1:17:c9:bf:5f:0c:1e:89:f3:69:de:e4:eb:
         1d:45:00:db:f8:1c:e5:d2:0a:2c:73:07:3e:5a:ff:91:f7:42:
         07:69:3c:5e:be:11:38:80:53:7f:75:5e:d9:1a:91:08:0d:cd:
         62:ed:24:0a:e8:93:41:70:59:49:eb:f4:60:6e:16:da:16:f1:
         94:9f:cd:33:32:1a:19:d5:66:61:d2:59:03:90:e8:0b:96:d5:
         d8:f6:8a:4a:39:2d:50:57:91:99:08:52:0d:f7:fc:a4:fd:30:
         93:66:95:5b

$ openssl x509 -in ~/Desktop/COMM048/Lab2/www.franziskuskiefer.de.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 919356 (0xe073c)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
        Validity
            Not Before: Jan 20 08:14:57 2014 GMT
            Not After : Jan 21 04:57:15 2015 GMT
        Subject: C = DE, CN = www.franziskuskiefer.de, emailAddress = postmaster@franziskuskiefer.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:ab:7e:b1:26:c9:d2:d3:c9:ee:a4:1c:32:03:cc:
                    8d:cd:58:fb:c7:6c:4d:13:69:1d:7c:24:a0:ba:ef:
                    40:2e:b4:76:95:22:c3:ba:22:1e:74:b9:9d:cc:2f:
                    fc:ad:07:14:e5:8e:9b:32:84:37:00:10:12:6d:1d:
                    0f:6e:b8:97:43:9f:46:7f:0f:b5:b2:97:2d:31:9f:
                    2c:d3:e2:88:b1:51:a1:5c:f7:23:a8:49:b3:a6:24:
                    76:af:32:7b:7b:36:17:02:3f:ee:bb:cf:88:63:e7:
                    22:3e:89:79:aa:b8:e2:6e:6c:c8:76:a2:09:c5:71:
                    a7:dd:8f:db:0f:9b:6f:4c:01:e4:d5:98:51:c7:12:
                    90:43:e8:bd:00:d6:c9:f2:6a:16:ba:55:73:91:e7:
                    8f:a0:f6:85:08:b4:73:ae:5d:b5:84:01:79:4e:de:
                    39:c5:2f:26:55:57:6a:bc:59:0a:30:09:ce:ce:36:
                    64:41:34:4d:d4:bc:96:8a:c5:d4:fa:bc:88:e1:c3:
                    74:d8:4c:ef:80:fb:56:24:e7:3a:b6:c3:64:a4:35:
                    48:15:83:68:2d:18:72:fd:5c:9d:bb:ba:08:bc:a3:
                    7b:b0:e3:f6:b6:1c:c3:19:5b:2a:69:eb:ba:28:87:
                    e0:9a:59:ab:a3:e0:11:9b:74:94:ca:a2:9c:bb:d9:
                    a9:2d:6f:63:c1:22:ed:2d:66:c7:96:65:be:e3:d5:
                    f9:e1:11:53:13:fd:cf:07:e9:be:78:46:16:b8:4b:
                    90:31:e9:66:77:7d:9e:39:33:1b:47:d7:c9:e0:86:
                    ba:7f:7d:2a:88:89:c1:70:a4:1b:8a:92:d5:73:43:
                    fb:9d:04:94:6d:fd:9e:fb:17:65:e3:1e:f8:3f:ff:
                    b1:7e:cf:2c:90:04:b2:15:c0:69:0c:69:09:74:c1:
                    60:0c:69:ef:73:13:ab:b5:82:41:4c:8e:aa:0f:7a:
                    e0:68:77:d5:ed:d5:6e:e9:2d:2c:7d:37:1a:ad:5a:
                    2c:85:76:26:92:e7:7e:4f:54:2f:57:f4:0f:16:af:
                    7e:7a:02:af:1d:97:7c:eb:c3:3f:26:a3:a1:d1:69:
                    f1:5a:66:b9:3c:df:1c:51:0a:99:3d:e3:cc:f6:02:
                    50:cf:8e:8f:85:27:d5:25:85:9f:d8:50:31:98:ff:
                    a3:e0:7e:da:55:3d:e4:31:0e:d7:2a:30:b9:be:2a:
                    c6:f2:f6:f3:8b:93:9b:33:2a:8f:a3:64:d1:98:e8:
                    da:77:e4:a3:64:9f:fe:e4:c6:a6:b7:c0:c3:84:f4:
                    8d:d0:20:11:f8:f1:cc:5c:0c:bf:5c:68:7f:f7:46:
                    32:2e:a1:31:94:53:ae:64:1d:c4:48:14:c8:83:37:
                    c0:43:01
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                2F:05:D6:17:4D:F3:4A:D6:D1:0B:16:C8:D6:5B:CC:9D:CF:93:4F:EA
            X509v3 Authority Key Identifier:
                keyid:EB:42:34:D0:98:B0:AB:9F:F4:1B:6B:08:F7:CC:64:2E:EF:0E:2C:45
            X509v3 Subject Alternative Name:
                DNS:www.franziskuskiefer.de, DNS:franziskuskiefer.de
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.23223.1.2.3
                  CPS: http://www.startssl.com/policy.pdf
                  User Notice:
                    Organization: StartCom Certification Authority
                    Number: 1
                    Explicit Text: This certificate was issued according to the Class 1 Validation requirements of the StartCom CA policy, reliance only for the intended purpose in compliance of the relying party obligations.
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://crl.startssl.com/crt1-crl.crl
            Authority Information Access:
                OCSP - URI:http://ocsp.startssl.com/sub/class1/server/ca
                CA Issuers - URI:http://aia.startssl.com/certs/sub.class1.server.ca.crt
            X509v3 Issuer Alternative Name:
                URI:http://www.startssl.com/
    Signature Algorithm: sha256WithRSAEncryption
         4b:af:10:1c:3a:dc:bc:1d:3c:60:18:42:5c:a7:55:46:3a:7d:
         56:7e:bf:49:0b:63:54:d1:57:2b:38:33:95:27:c8:21:8f:9a:
         39:a1:c7:10:70:84:01:85:22:3a:86:96:1e:97:8d:d7:10:4c:
         e4:0c:66:75:3d:86:3d:84:c9:48:cd:67:38:78:36:27:83:83:
         62:d6:81:f0:6a:12:68:d2:f5:80:a5:a1:e4:dc:cd:14:56:80:
         e2:46:e1:94:a0:23:0f:f8:d9:c9:c1:bb:f0:33:b2:67:a4:2c:
         23:0b:1f:d5:76:28:84:a8:65:02:30:d5:1e:20:8b:97:82:c4:
         47:42:e2:1b:c8:60:ce:4b:88:d9:e8:d6:54:2f:a6:4b:1e:4b:
         c0:a5:02:f6:b5:dc:7e:5d:b2:34:01:51:db:d1:cc:8e:55:c3:
         5c:85:4d:c0:5f:e1:a8:3f:7e:6e:3b:3a:f6:41:f5:39:4c:c2:
         6c:c1:bc:e4:b2:51:c1:34:89:43:61:f9:3c:a6:8d:e6:1a:dd:
         de:eb:e4:2d:43:43:39:ad:20:37:c8:0a:ae:f6:ee:d9:05:8a:
         ee:de:4a:35:ef:bc:7a:3e:50:61:13:ba:ed:ee:61:db:ba:14:
         9f:4d:bb:bc:ca:e8:89:76:ed:78:89:3f:c1:5c:25:46:fa:24:
         4e:00:8f:48
```
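The lab's CA procedure carried through end to end, as an added example that is not from the lab handout: it creates the random serial and self-signed root CA as above, issues one server certificate from that CA (the step the lab introduction promises), and then reads back the Issuer, Validity and Basic Constraints fields that Ex 2.4 asks about. It assumes `openssl` (1.1.1 or later) is installed; the inline stand-in for `LabCA.cnf`, the hypothetical server name `server.lab` and the 365/90-day lifetimes are my choices.

```shell
#!/bin/sh
# Added example, not from the lab handout. Assumes openssl (1.1.1 or later)
# is in PATH; everything is created in a temporary directory and removed.
set -eu

# Builds a throwaway root CA as the lab does, issues one server cert from it,
# checks the Basic Constraints and the chain, and prints the Ex 2.4 fields.
# Returns non-zero if any step, including chain verification, fails.
lab_ca_demo() (
  work=$(mktemp -d)
  cd "$work"
  mkdir -p demoCA/private

  # Minimal stand-in for the lab's LabCA.cnf: non-interactive DN, CA extensions.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3_ca' \
    'prompt = no' '[dn]' 'CN = Lab Demo' '[v3_ca]' \
    'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' \
    'subjectKeyIdentifier = hash' > LabCA.cnf

  # Random 4-byte serial, exactly as in the lab; tr strips the spaces od emits.
  od -vAn -N4 -tx1 < /dev/urandom | tr -d ' ' > demoCA/serial

  # Self-signed root CA; "demo" is the lab's passphrase, not a real secret.
  openssl req -new -x509 -days 365 -newkey rsa:2048 -config LabCA.cnf \
    -keyout demoCA/private/cakey.pem -out demoCA/cacert.crt -passout pass:demo 2>/dev/null

  # Server key + CSR (hypothetical name server.lab), then sign it with the CA key.
  # Leaf extensions mirror the Ex 2.4 dumps: CA:FALSE plus a DNS SAN.
  openssl req -new -newkey rsa:2048 -nodes -config LabCA.cnf -subj '/CN=server.lab' \
    -keyout server.key -out server.csr 2>/dev/null
  printf '%s\n' 'basicConstraints = CA:FALSE' 'subjectAltName = DNS:server.lab' > server.ext
  openssl x509 -req -days 90 -in server.csr -CA demoCA/cacert.crt \
    -CAkey demoCA/private/cakey.pem -passin pass:demo -CAserial demoCA/serial \
    -extfile server.ext -out server.crt 2>/dev/null

  # Ex 2.4 checks: leaf is CA:FALSE, root is CA:TRUE, leaf chains to our root.
  openssl x509 -in server.crt -noout -text | grep -q 'CA:FALSE'
  openssl x509 -in demoCA/cacert.crt -noout -text | grep -q 'CA:TRUE'
  openssl verify -CAfile demoCA/cacert.crt server.crt >/dev/null

  # Who is the CA? The Issuer line of the issued certificate answers it.
  openssl x509 -in server.crt -noout -issuer -subject -dates
  rm -rf "$work"
)
```

Run `lab_ca_demo` after sourcing the script; the printed `issuer=` line names the root CA (Lab Demo) and the `subject=` line the server, the same two fields you read off the Barclays and franziskuskiefer.de dumps above.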